
gh-130577: tarfile now validates archives to ensure member offsets are non-negative #137027


Merged
merged 3 commits into from
Jul 28, 2025

Conversation

aeurielesn
Contributor

@aeurielesn aeurielesn commented Jul 22, 2025

Member

@gpshead gpshead left a comment


It's rather sad that the number format used within tar files even explicitly allows a way to express negative values. Is there even a use case for that in the file format(s)?
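As an added illustration of the point in the comment above (this is not code from this PR, nor from CPython's tarfile module): a tar header numeric field has two encodings, POSIX octal digits and the GNU base-256 extension, and the base-256 form with a leading 0o377 byte is what lets a header express a negative number such as a negative size. The reader-side check below refuses a negative size or a negative member offset before any seek or slice is computed from it, which is the same invariant this PR enforces. The `make_header`, `member_extent` and `walk` names are this example's own, and the header blocks and sample archive are constructed test input.

```python
BLOCKSIZE = 512
SIZE_FIELD = slice(124, 136)    # 12-byte size field of a ustar header
NAME_FIELD = slice(0, 100)


def decode_number(field: bytes) -> int:
    """Decode a tar header numeric field.

    Two encodings exist: POSIX octal digits terminated by NUL or space, and
    the GNU base-256 extension, flagged by a leading 0o200 (positive) or 0o377
    (negative, two's complement) byte. The second form is what lets a header
    carry a negative size.
    """
    if field[0] in (0o200, 0o377):
        n = int.from_bytes(field[1:], "big")
        if field[0] == 0o377:
            n -= 256 ** (len(field) - 1)
        return n
    text = field.split(b"\0", 1)[0].decode("ascii", "strict").strip()
    return int(text or "0", 8)


def encode_number(n: int, digits: int = 12) -> bytes:
    """Encode n as GNU tar does: octal when it fits, base-256 otherwise."""
    if 0 <= n < 8 ** (digits - 1):
        return ("%0*o" % (digits - 1, n)).encode("ascii") + b"\0"
    limit = 256 ** (digits - 1)
    if -limit <= n < limit:
        lead = 0o200 if n >= 0 else 0o377
        return bytes([lead]) + (n % limit).to_bytes(digits - 1, "big")
    raise ValueError("overflow in number field")


def make_header(name: str, size: int) -> bytes:
    """Build a minimal 512-byte ustar header block (constructed test input).

    Only the fields a reader needs to walk the archive are filled in; the
    checksum is computed the standard way (checksum bytes count as spaces).
    """
    buf = bytearray(BLOCKSIZE)
    buf[NAME_FIELD] = name.encode("ascii").ljust(100, b"\0")
    buf[100:108] = b"0000644\0"          # mode
    buf[108:116] = b"0000000\0"          # uid
    buf[116:124] = b"0000000\0"          # gid
    buf[SIZE_FIELD] = encode_number(size)
    buf[136:148] = b"00000000000\0"      # mtime
    buf[156] = ord("0")                  # typeflag: regular file
    buf[257:263] = b"ustar\0"            # magic
    buf[263:265] = b"00"                 # version
    chksum = sum(buf[:148]) + 8 * 0x20 + sum(buf[156:])
    buf[148:156] = ("%06o\0 " % chksum).encode("ascii")
    return bytes(buf)


def member_extent(offset: int, header: bytes) -> tuple[int, int]:
    """Return (data_offset, next_header_offset) for a header found at `offset`.

    Refuses a negative or misaligned header offset and a negative size field,
    so no later seek or slice can be derived from a negative number. This
    mirrors the invariant the PR enforces; it is not the PR's own code.
    """
    if offset < 0 or offset % BLOCKSIZE:
        raise ValueError("invalid header offset %d" % offset)
    size = decode_number(header[SIZE_FIELD])
    if size < 0:
        raise ValueError("negative size field %d" % size)
    data_offset = offset + BLOCKSIZE
    blocks = (size + BLOCKSIZE - 1) // BLOCKSIZE
    return data_offset, data_offset + blocks * BLOCKSIZE


def walk(archive: bytes) -> list[tuple[str, int, int]]:
    """Enumerate (name, size, data_offset) for each member, validating as we go."""
    members = []
    offset = 0
    while offset + BLOCKSIZE <= len(archive):
        header = archive[offset:offset + BLOCKSIZE]
        if header == bytes(BLOCKSIZE):       # all-zero block: end of archive
            break
        name = header[NAME_FIELD].split(b"\0", 1)[0].decode("ascii")
        data_offset, next_offset = member_extent(offset, header)
        members.append((name, decode_number(header[SIZE_FIELD]), data_offset))
        offset = next_offset
    return members


if __name__ == "__main__":
    # Constructed archive: a 1000-byte member, an empty member, end-of-archive blocks.
    archive = make_header("a.txt", 1000) + b"x" * 1024 + make_header("empty", 0) + bytes(1024)
    print(walk(archive))
    try:
        member_extent(0, make_header("bad", -512))
    except ValueError as exc:
        print("rejected:", exc)
```

The validation sits in `member_extent` rather than in the caller because every derived position (data start, next header) is computed there from the decoded size; checking the sign once at that point is what keeps a negative field from ever becoming a negative offset.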

@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes needs backport to 3.14 bugs and security fixes and removed needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes needs backport to 3.13 bugs and security fixes labels Jul 25, 2025
@gpshead
Member

gpshead commented Jul 25, 2025

Please cherry-pick this commit to your branch (mispaste fixed): aa57b01

We don't want a whatsnew entry for this; whatsnew is for major features, not bugfixes. A whatsnew entry makes backporting a chore (thus me removing the auto-backport labels for now).

(github is refusing to let me push changes to your branch. Please always allow maintainers to push edits to PR branches.)

@gpshead
Member

gpshead commented Jul 25, 2025

(corrected mispasted commit link above)

@gpshead gpshead self-assigned this Jul 25, 2025
@aeurielesn
Contributor Author

I enabled "allow edits" to avoid any further issues, and I cherry-picked the commit from your personal fork.

@aeurielesn
Contributor Author

By the way, thanks for the clarifications on the process 👍

@gpshead gpshead added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes needs backport to 3.12 only security fixes labels Jul 27, 2025
vstinner pushed a commit to vstinner/cpython that referenced this pull request Aug 11, 2025
…ets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
(cherry picked from commit 7040aa5)
@bedevere-app

bedevere-app bot commented Aug 11, 2025

GH-137644 is a backport of this pull request to the 3.10 branch.

@bedevere-app

bedevere-app bot commented Aug 11, 2025

GH-137645 is a backport of this pull request to the 3.9 branch.

frenzymadness pushed a commit to fedora-python/cpython that referenced this pull request Aug 12, 2025
tarfile now validates archives to ensure member offsets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
frenzymadness pushed a commit to fedora-python/cpython that referenced this pull request Aug 12, 2025
tarfile now validates archives to ensure member offsets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
Agent-Hellboy pushed a commit to Agent-Hellboy/cpython that referenced this pull request Aug 19, 2025
…ets are non-negative (pythonGH-137027)

Co-authored-by: Gregory P. Smith <greg@krypto.org>
pablogsal pushed a commit that referenced this pull request Aug 19, 2025
…sets are non-negative (GH-137027) (#137172)

gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027)
(cherry picked from commit 7040aa5)

Co-authored-by: Alexander Urieles <aeurielesn@users.noreply.github.com>
Co-authored-by: Gregory P. Smith <greg@krypto.org>
@bedevere-bot

⚠️⚠️⚠️ Buildbot failure ⚠️⚠️⚠️

Hi! The buildbot s390x RHEL9 Refleaks 3.11 (tier-3) has failed when building commit b4ec174.

What do you need to do:

  1. Don't panic.
  2. Check the buildbot page in the devguide if you don't know what the buildbots are or how they work.
  3. Go to the page of the buildbot that failed (https://buildbot.python.org/#/builders/1586/builds/63) and take a look at the build logs.
  4. Check if the failure is related to this commit (b4ec174) or if it is a false positive.
  5. If the failure is related to this commit, please, reflect that on the issue and make a new Pull Request with a fix.

You can take a look at the buildbot page here:

https://buildbot.python.org/#/builders/1586/builds/63

Failed tests:

  • test_typing

Test leaking resources:

  • test_typing: memory blocks

Summary of the results of the build (if available):


Traceback logs:
remote: Enumerating objects: 11, done.        
remote: Counting objects:  14% (1/7)        
remote: Counting objects:  28% (2/7)        
remote: Counting objects:  42% (3/7)        
remote: Counting objects:  57% (4/7)        
remote: Counting objects:  71% (5/7)        
remote: Counting objects:  85% (6/7)        
remote: Counting objects: 100% (7/7)        
remote: Counting objects: 100% (7/7), done.        
remote: Compressing objects:  25% (1/4)        
remote: Compressing objects:  50% (2/4)        
remote: Compressing objects:  75% (3/4)        
remote: Compressing objects: 100% (4/4)        
remote: Compressing objects: 100% (4/4), done.        
remote: Total 11 (delta 3), reused 3 (delta 3), pack-reused 4 (from 2)        
From https://github.com/python/cpython
 * branch                    3.11       -> FETCH_HEAD
Note: switching to 'b4ec17488eedec36d3c05fec127df71c0071f6cb'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by switching back to a branch.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -c with the switch command. Example:

  git switch -c <new-branch-name>

Or undo this operation with:

  git switch -

Turn off this advice by setting config variable advice.detachedHead to false

HEAD is now at b4ec17488ee [3.11] gh-130577: tarfile now validates archives to ensure member offsets are non-negative (GH-137027) (#137172)
Switched to and reset branch '3.11'

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11

renaming build/scripts-3.11/pydoc3 to build/scripts-3.11/pydoc3.11
renaming build/scripts-3.11/idle3 to build/scripts-3.11/idle3.11
renaming build/scripts-3.11/2to3 to build/scripts-3.11/2to3-3.11
make: *** [Makefile:1852: buildbottest] Error 2

Labels
type-security A security issue

5 participants